On Fri, Sep 26, 2008 at 10:17:04PM +1000, Steffen Joeris wrote:
> On Tue, 23 Sep 2008 03:11:34 am Mike Hommey wrote:
> > On Mon, Sep 22, 2008 at 05:51:02PM +1000, Steffen Joeris wrote:
> > > Package: webkit
> > > Severity: grave
> > > Tags: security, patch
> > > Justification: user security hole
> > >
> > > Hi,
> > > the following CVE (Common Vulnerabilities & Exposures) ids were
> > > published for webkit.
> > >
> > > CVE-2008-3950[0]:
> > > | Off-by-one error in the
> > > | _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in
> > > | WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4
> > > | and 2.0 allows remote attackers to cause a denial of service (browser
> > > | crash) via a JavaScript alert call with an argument that lacks
> > > | breakable characters and has a length that is a multiple of the memory
> > > | page size, leading to an out-of-bounds read.
> > >
> > > CVE-2008-3632[1]:
> > > | Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through
> > > | 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to
> > > | execute arbitrary code or cause a denial of service (application
> > > | crash) via a web page with crafted Cascading Style Sheets (CSS) import
> > > | statements.
> > >
> > > If you fix the vulnerabilities, please also make sure to include the
> > > CVE ids in your changelog entry.
> > >
> > > Please don't get confused by the very Apple-centric descriptions; it
> > > affects webkit. A fix for CVE-2008-3632 can be found here[2]. I am not
> > > sure about CVE-2008-3950 and it might not affect the webkit package (I
> > > couldn't even find the function mentioned), but I thought I'd mention it
> > > as well, in case you have more information.
> >
> > It's also strange, as
> > _web_drawInRect:withFont:ellipsis:alignment:measureOnly doesn't sound
> > remotely related to the javascript alert() call.
> I've had a look again and I don't see how this CVE affects our Debian
> packages.
>
> This leaves us with only one issue for webkit. Did you consider the other
> patch yet? I didn't see an obvious problem with it, but didn't test anything
> yet. Did you intend to get 1.0.1-3 into lenny? I guess it would be good to go
> through unstable with fixing the last CVE. What do you think?
1.0.1-3 is already due for Lenny. I'll test and upload 1.0.1-4 soon to
unstable, including a fix for CVE-2008-3632, and will go for 1.0.1-5 if
CVE-2008-3950 appears to be a problem in Debian.

Mike